Precoding-Codebook-Based Secure Uplink in LTE

ABSTRACT

A Precoding-codebook-base Secure Uplink (PSU) scheme is proposed to utilize the channel reciprocity, uniqueness, and randomness in solving the secure initiation problem. A UE receives a first reference signal via first downlink channel in a mobile communication network. The UE performs channel estimation based on the first reference signal and thereby obtaining a first channel response matrix of the first downlink channel. The UE then encodes secrecy information onto a second reference signal. The UE transmits the second reference signal via a second uplink channel. The secrecy information is hidden in the uplink channel through a precoding operation such that the secrecy information can be extracted when the second uplink channel is reciprocal to the first downlink channel.

CROSS REFERENCE TO RELATED APPLICATIONS

This application claims priority under 35 U.S.C. §119 from U.S.Provisional Application No. 61/866,597, entitled“Precoding-codebook-based Secure Uplink in LTE,” filed on Aug. 16, 2013,the subject matter of which is incorporated herein by reference.

TECHNICAL FIELD

The disclosed embodiments relate generally to wireless networkcommunications, and, more particularly, to precoding-codebook-basedsecure uplink transmission in LTE networks.

BACKGROUND

In advanced 3.5G to 4 G communication standards (e.g., Long TermEvolution (LTE) and LTE-advanced), security has been an important issuedue to the increasing attention on user privacy. Compared to 2G GlobalSystem for Mobile Communications (GSM), the Evolved Packet System (EPS)that comprises LTE and System Architecture Evolution (SAE) has strongerprotection on information security. For example, the authenticationprocess in GSM only allows the serving network (SN) to authenticate themobile stations, and the mobile station cannot authenticate the SN. Fakebase stations thus can be transparent by imitating the mobile stationsand forwarding their messages to the genuine base stations. This is thefamous man-in-the-middle attack. The EPS, on the other hand, introducesmutual authentication between the SN and UEs. Therefore, EPS hasresistance to man-in-the-middle attacks. Nevertheless, backwardcompatibility with GSM or General Packet Radio Service (GPRS) can stillresult in the risks of being attacked.

Despite the security improvement in the EPS, there are still somesecurity issues remaining unsolved. For instance, the InternationalMobile Subscriber Identity (IMSI) is a special sequence of numbersunique for each mobile user in the cellular network. It serves as anidentification that allows the Mobility Management Entity (MME) in theSN to authenticate the UE. To prevent eavesdroppers from obtaining theIMSI and accordingly having the ability to track the UE, the IMSI shouldbe sent as infrequently as possible. For not revealing IMSI often, theMME will allocate Global Unique Temporary UE Identity (GUTI) after theUE establishes connection with the SN. Hence, the UE can mask its IMSIby transmitting the GUTI for the authentication process afterwards.However, the association between IMSI and GUTI is stored in the localMME and Home Subscriber Server (HSS). If the UE goes to a new area withnew operators, the new networks can only fetch the association betweenthe IMSI and GUTI from the old network. If the address of the home SN isnot known or the connection between the local SN and the home SN fails,the local SN cannot retrieve the association anymore. As a result, theIMSI must be sent first to get initial authentication. Therefore, inplaces such as airports, the transmission of IMSI is not preventable,which makes eavesdropping and tracking possible.

The above problem is referred to as a secure initiation problem wherepassive eavesdroppers present as security threats. The secure initiationproblem is not restricted to the security of the IMSI. It concerns thesecurity of any confidential information sent before a securetransmission link is established. For example, the SN and the UE need tohave an agreement on secret keys to allow cryptography schemes to work.The security transmission link is referred to as the establishment ofsymmetric cryptosystems such as Data Encryption Standard (DES) andAdvanced Encryption Standard (AES) that use the same secret key forencryption and decryption. The symmetric cryptosystems are secure if thesymmetric key is only known to the eNodeB and the legitimate UEs.

Nevertheless, once the secrecy assumption of the key does not hold(i.e., the eavesdropper has the secret key), then the symmetriccryptosystems are not safe anymore.

Therefore, protecting the confidential messages such as the secret keybefore the establishment of the symmetric cryptosystems is extremelyimportant.

Applying asymmetric cryptography (e.g., RSA and Diffie-Hellman keyexchange) to protect the symmetric secret key or IMSI is a possiblesolution to the secure initiation problem. The basic idea of asymmetriccryptography is to use different keys for encryption and decryption. Byconcealing the decryption key, the computation complexity of decryptingthe confidential messages with the knowledge of only the encryption keyis so high that eavesdroppers cannot finish the decryption in time. Asuccessful decryption by a super computer usually takes over ten years.However, asymmetric cryptography has much more computation complexity inkey generation, encryption, and decryption than the symmetriccryptography even though both keys are known. In addition, theasymmetric cryptography generally needs much larger secret keys than thesymmetric cryptography (over ten time usually) to achieve the same levelof security. Hence, due to the hardware cost, time efficiency, and powersaving concerns, the asymmetric cryptography is not suitable for userdevices.

To solve the secure initiation problem and to overcome the disadvantageof the asymmetric cryptography, security mechanisms can be built on thephysical layer. Specifically, in wireless environments withTime-Division Duplex (TDD) schemes, the MIMO channel from the eNodeB tothe UE and that from the UE to the eNodeB are identical by the operationof conjugate transpose (i.e., adjoint). On the other hand, the channelsseen by eavesdroppers would be very different from the eNodeB-to-UEchannel. In addition, channel realization would vary significantlythrough coherence time, which imposes a great difficulty for theeavesdroppers to predict. Hence, due to the reciprocity, uniqueness, andrandomness of the channel, the eNodeB and the UE can quantize theirobservations on the channel to generate identical secret keys withoutexplicitly transmitting the secret keys.

However, there are three major challenges ahead. First, because ofchannel estimation errors, the secret keys generated by the eNodeB andthe UE might not match each other. How to quantize the channel so thatthe key error rate (KER) or the probability of key mismatch between theeNodeB and the UE is acceptably low is an issue. Second, althougheavesdroppers cannot see the channel experienced by the eNodeB and theUE, they may still try to predict the channel by reconstructing thephysical environment. For simple environments such as an empty room, itis possible to simulate the surroundings and rebuild the channels by,for example, ray tracing. Third, although channel will vary from time totime, the variation depends on the speed of the eNodeB and the UE. Ifthe channel experiences slow fading, the secret keys that generated fromtime to time will have a great amount of correlation. Such a phenomenonis harmful to security since once an eavesdropper happens to have asecret key, the key might be used to predict the other keys. Therefore,channel reciprocity based physical layer security schemes should bedesigned tolerable to the key mismatch problem, the physicalreconstruction hazard, and the slow fading channel.

SUMMARY

A physical-layer scheme in LTE MIMO OFDM systems based on precodingcodebooks and rotation on channel matrixes is proposed. Specifically, aPrecoding-codebook-base Secure Uplink (PSU) scheme is proposed toutilize the channel reciprocity, uniqueness, and randomness in solvingthe secure initiation problem. The PSU scheme takes an emphasis on theuplink secrecy feedback by letting the UE to hide its secret informationby choosing the precoding matrix that is applied to the uplinkDe-Modulation Reference Signals (DMRSs). In addition to solve the secureinitiation problem, it is also possible to use the PSU scheme togetherwith traditional encryption techniques, i.e. after initiation.

Suppose that the UE wants to transmit symmetric secret keys to theeNodeB, the UE can generate its own secret keys in a uniform random way,which overcomes the slow fading channel problem. Specifically, thesecret information is hidden in the right singular matrices of thechannel through codebook-based precoding operation. The UE partitionsthe secret information and maps into Precoding Matrix Index (PMI) in theLTE precoding codebooks where each precoding matrix in the codebook canbe used as a quantization point for the space of the right singularmatrices. Since the LTE standard specification has already defined itsprecoding codebooks (e.g., DFT codebooks and householder codebooks) fordifferent antenna and rank settings, the PSU scheme has no need to addnew codebooks into the current LTE standards. Furthermore, the eNodeBconstantly rotate the Cell-Specific Reference Signals (CRSs) so that therotated channel imposes difficulties for the eavesdroppers to predictthe eNodeB-to-UE channel by reconstructing physical environments.

Apart from emphasizing uplink secrecy feedback, the PSU scheme isdifferent in terms of using a distinct vector-wise chordal distancemeasure to enhance the tolerance to noise and generality of the system.The PSU scheme is also backward compatible and does not affect thechannel estimation of legacy UEs or those UEs that do not support such asecurity feature.

Other embodiments and advantages are described in the detaileddescription below. This summary does not purport to define theinvention. The invention is defined by the claims.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1A illustrates an EPS Authentication and Key Agreement (AKA)procedure.

FIG. 1B illustrates a precoding-codebook-based secure uplink (PSU)procedure in a mobile communication system in accordance with one novelaspect.

FIG. 2 illustrates simplified block diagrams of a user equipment and abase station in a wireless system in accordance with one novel aspect.

FIGS. 3A-3C illustrate channel characteristics for applying PSU in awireless system.

FIG. 4 illustrates the transmission of CRS and DMRS for downlink anduplink channel estimation for applying PSU in a wireless system.

FIG. 5 illustrates different channel response matrixes between a UE, aneNodeB, and an eavesdropper for applying PSU in a wireless system.

FIG. 6 illustrates one embodiment of a procedure for applying PSU in awireless system.

FIG. 7 illustrates one embodiment of encoding secrecy information ontoreference signals via precoding matrix indexes (PMIS).

FIG. 8A illustrates backward compatibility of a PSU scheme in a FDDwireless system.

FIG. 8B illustrates backward compatibility of a PSU scheme in a TDDwireless system.

FIGS. 9A-9C illustrate the eavesdropper's capability of breaking the PSUscheme with respect to the distance in wavelengths between theeavesdropper and the eNodeB.

FIGS. 10A-10B illustrate the definition of distance used in thesimulation results of FIGS. 9A-9C.

FIG. 11 shows the total bits of a secret key to be transmitted from theUE to the eNodeB in order to attain a certain secret level.

FIG. 12 shows the influence of the channel estimation error to the PSUscheme with different MIMO schemes and distance measures.

FIG. 13 is a flow chart of a method of applying the PSU scheme from UEperspective in accordance with one novel aspect.

FIG. 14 is a flow chart of a method of applying the PSU scheme fromeNodeB perspective in accordance with one novel aspect.

DETAILED DESCRIPTION

Reference will now be made in detail to some embodiments of theinvention, examples of which are illustrated in the accompanyingdrawings.

To establish a secure connection, communication systems should provide amechanism from the mutual authentication and secret key sharing betweenthe mobile users and the network. In particular, the Evolved PacketSystem (EPS) has an Authentication and Key Agreement (AKA) procedurethat allows the serving network (SN) and user equipment (UE) toauthenticate each other and agree on a symmetric key for the future dataencryption and decryption.

FIG. 1A illustrates the EPS AKA procedure in an LTE network. The LTEnetwork comprises a UE, an MME, and an HSS/AuC. In step 1, the UEtransmits its IMSI or GUTI through the wireless medium and backbone tothe MME. Note that the IMSI is originally stored in a tamper resistantUniversal Subscriber Identity Module (USIM). In step 2, the MME forwardsthe IMSI and its Serving Network (SN) ID to a Home Subscriber Server(HSS) of the UE. In step 3, the HSS verifies the identity of the MMEthrough SN ID and the identity of the UE through IMSI with the help ofan Authentication Center (AuC). The HSS and AuC together generate acipher key (CK), an integrity key (IK), and an authentication vector(AV) which consists of a random sequence (RAND), an expected response(XRES), a local master key (Ka), and an authentication token (AUTN).Note that the Ka is binding to the SN ID as an implicit SNauthentication. In step 4, the HSS sends the AV to the MME. In step 5,the MME uses the Ka to derive the CK and the IK if it has the correct SNID. The MME then challenges the UE by sending the RAND and the AUTN. Instep 6, the USIM first verifies the AUTN. If the AUTN is correct, theUSIM then takes the AUTN and the RAND as input to generate a response(RES), the CK, the IK, and the Ka. In step 7, the UE sends the RES tothe MME. Finally, in step 8, the MME checks if the RES from the UEmatches the XRES from the HSS and AuC. If they match, then theconnection is established.

Due to the AKA procedure, the EPS is much securer than the GSM, GPRS,and its predecessor, Universal Mobile Telecommunications System (UMTS).However, there are still some security problems existing in the EPS AKAprocedure, which is referred to as the secure initiation problem in theBACKGROUND. In order to solve the secure initiation problem, the UEneeds to have the capability of concealing its confidential messages(e.g., IMSI, GUTI, RAND, and AUTN) so that only the authorized eNodeB orSN instead of the eavesdropper can obtain them.

A conventional way of dealing with the problem is to apply theasymmetric cryptography for its merit of separating public and privatekeys. However, even though it is really impossible to find solutions inpolynomial time, there are still main drawbacks of the asymmetriccryptosystems: 1) the complexity of encryption and decryption even withthe knowledge of the keys may not be tolerable for mobile devices due topower and computation speed limitation; 2) the protection of the secretmessages is greatly compromised in asymmetric cryptosystems, forexample, RSA; 3) the restricted infrastructure of using the sameasymmetric cryptosystems brings too much overhead and burden incoordination and implementation. In the consequence of the drawbacks,security can be achieved in the physical layer.

It is information-theoretically possible to securely transmitconfidential messages from the transmitter to the legitimate receiver bymerely channel coding techniques if the channel from the transmitter tothe eavesdropper is a degraded version of that from the transmitter tothe legitimate receiver. The channel coding schemes aiming at providingsecurity are named secrecy channel coding. Particularly, the security isachieved in the sense that even though the channel coding methods arerevealed to the eavesdropper, she is still not be able to obtain anyinformation from the confidential messages. This kind of security isreferred to as perfect secrecy. Through the years, the theoretic boundson secure information have been investigated in different channelassumptions such as broadcast channels, Gaussian channels, fadingchannels, and MIMO channels. Although some researchers have proposedillustrations of using LDPC codes for secrecy channel coding, there areno practical schemes developed to provide security in the physicallayer.

Apart from hiding secret messages through channel coding, anotherresearch direction on physical layer security is to establish secret keyagreements between the transmitter and the legitimate receiver. Thiskind of physical layer security primarily looks into generating secretkeys via correlated randomness that is usually extracted from thewireless channel in between. Then cryptography algorithms can use thosekeys to protect system security. There are two main steps, informationreconciliation and privacy amplification. In the informationreconciliation phase, two legitimate users respectively generate randomsequences based on the observation of their channel. Ideally, they aresupposed to obtain the same random sequences. However, because of thechannel estimation error, noise, and interference, the sequences willnot coincide with each other. Public discussion is thus needed. The twousers reveal some information regarding their sequences through abroadcast channel where eavesdropping could happen. They then use theinformation to make their sequences identical. However, the portion ofinformation transmitted through the broadcast channel in this case isnot secure anymore. Therefore, in the privacy amplification phase, thetwo users eliminate that information by using, for example, universalhash function to obtain the secret keys that are identical and have noinformation exposed to the possible eavesdroppers. Then the symmetriccryptography algorithms can be applied by using those secret keys. As aresult, the physical layer security on secrecy sharing is unlike the oneon secrecy channel coding that does not consist of any cryptographyalgorithms. It resorts to the symmetric cryptosystems to achievesecurity. Interestingly, such a design feature is closely related to thesecure initiation problem in which secure communications can only beestablished after the sharing of confidential IMSI, random challengesequences, secret keys, etc. Hence, a precoding-codebook-based secureuplink (PSU) scheme is proposed, which is built on top of the ideas ofsecrecy sharing through physical layer security.

FIG. 1B illustrates a precoding-codebook-based secure uplink (PSU)procedure in a mobile communication system 100 in accordance with onenovel aspect. Mobile communication system 100 comprises a user equipmentUE 101 and a base station eNodeB 102. In step 111, eNodeB 102 generatesa rotated reference signal. In step 112, eNodeB 102 transmits therotated reference signal to UE 101. In step 121, UE 101 performs channelestimation based on the received reference signal. In step 122, UE 101performs secrecy generation, which matches the secret information to aplurality of PMIS in a predefined codebook corresponding to a pluralityof precoding matrices. UE 101 then maps the precoding matrices on REscorresponding to the position of DMRSs. In step 123, UE 101 performssecrecy feedback, which generates a rotated version of DMRSs based onthe left singular matrix of the estimated channel. In step 124, UE 101transmits the rotated DMRSs to eNodeB 102. In step 131, eNodeB 102obtains channel estimation based on the received DMRSs. In step 132,eNodeB 102 performs secrecy extraction and extracts the secretinformation based on a vector-wise chordal distance measure.

FIG. 2 illustrates simplified block diagrams of a user equipment 201 anda base station 221 in a wireless system in accordance with one novelaspect. UE 201 comprises memory 202, a processor 203, an RF transceiver204, and an antenna 205. RF transceiver 204, coupled with antenna 205,receives RF signals from antenna 204, converts them to baseband signalsand sends them to processor 203. RF transceiver 204 also convertsreceived baseband signals from processor 203, converts them to RFsignals, and sends out to antenna 205. Processor 203 processes thereceived baseband signals and invokes different functional modules toperform features in UE 201. Memory 202 stores program instructions anddata 206 to control the operations of UE 201. The program instructionsand data 206, when executed by processor 203, enables UE 201 to performprecoding-codebook-based secure uplink transmission according to novelaspects of the invention.

UE 201 also comprises various function modules including a control andconfiguration module 211 that receives control and configurationinformation from the network, an encoding and mapping module 212 thatencodes UE secrecy information to PMIS and then mapping correspondingprecoding matrices to DMRSs, a channel estimation module 213 thatperforms downlink channel estimation, and a rotator that rotates UEreference signals (DMRSs) to be sent to the network. The differentcomponents and modules may be implemented in a combination of hardwarecircuits and firmware/software codes being executable by processor 203to perform the desired functions. Similarly, eNodeB 221 comprises memory222, a processor 223, a transceiver 224 coupled to one or multipleantennas 225, and eNodeB 221 also comprises various function modulesincluding a control and configuration module 231, a decoder/de-mapper232 that extracts UE secrecy information, a channel estimation module233 that performs uplink channel estimation, and a rotator 234 thatrotates eNodeB reference signals (CRSs) to be sent to UEs.

FIGS. 3A-3C illustrate channel characteristics for applying PSU in awireless system. PSU scheme utilizes the channel reciprocity, uniquenessand randomness in solving the secure initiation problem. FIG. 3Aillustrates the randomness if a channel, e.g., the channel response|h(t)| various randomly with time, which masks the secret information.FIG. 3B illustrates the uniqueness of a channel, e.g., the channelresponse h1 from a genuine eNodeB to an authorized UE is different fromthe channel response h2 from the genuine eNodeB to an eavesdropper(h2≠h1), which prevents eavesdropping. FIG. 3C illustrates the channelreciprocity, e.g., the channel response h_(UL) of an uplink (UL) channelis equal to the channel response h_(DL) of a corresponding downlink (D1)channel (h_(UL)=h_(DL)), which ensures the correct delivery.

FIG. 4 illustrates the transmission of CRS and DMRS for downlink anduplink channel estimation for applying PSU in a wireless system.Consider a simple LTE network where there are an eNodeB, a UE, and aneavesdropper. Assume that the eNodeB, the UE, and the eavesdropperrespectively have M, N, and K antennas. In the LTE MIMO-OFDM system,modulated symbols are allocated on resource elements (REs) along timeand frequency indices. The PSU scheme requires both the eNodeB and theUE to do channel estimation. In the downlink channel, the eNodeBtransmits cell-specific reference signals (CRSs) on some REs withinevery resource block. Every transmit antenna has its own dedicated CRSsthat are QPSK symbols known to the UEs. Suppose that the CRSs arescheduled on the REs with index set T1 in time and F in frequency. Inthe uplink channel, the UE uses Zadoff-Chu sequences to generate uplinkdemodulation reference signals (DMRSs). Suppose that the UE transmitsDMRSs of which the frequency index set is the same as that of the CRSs,i.e., F, and the time index set T2 corresponds to that of the CRSs butwith a delay t0, i.e., T2={t+t0|t εT1}.

FIG. 5 illustrates different channel response matrixes between a UE, aneNodeB, and an eavesdropper for applying PSU in a wireless system.Denote the downlink channel matrix from the eNodeB to the UE asH_(BU)(t1, f1) εC^(N×M) where the subscripts B and U stand for eNodeBand UE respectively, t1 εT1 is the time index, and f1 εF is thefrequency Index. Assume that the system is Time Division Duplex (TDD) sothat the channel reciprocity between the uplink and downlink holds. Inorder to fully utilize channel reciprocity, the delay t0 must be lessthan channel coherence time. For example, if the UE moves with a speedof 3 km/h, the channel coherence time is about 76 ms according to theformula given by T_(d)=0.423/f_(d), where f_(d) is the Dopplerfrequency. Such coherence time is much longer than the 10 ms radioframe. The channel experienced in this time interval is thereforeapproximately the same. As a result, let the uplink channel matrix beH_(UB)(t2, f2)=H_(BU) ^(T)(t1, f1)|(t1=t2−t0, f1=f2), where t2 εT2 andf2 εF. Note that subscript 1 and 2 are used to represent the downlinkand uplink channel estimation respectively. Assume that the eavesdropperis a passive listener. As illustrated in FIG. 5, let the channel matrixfrom the eNodeB to the eavesdropper and that from the UE to theeavesdropper be denoted by H_(BE) (t1, f1) εC^(K×M) and H_(UB) (t2, f2)εC^(K×N) respectively.

Since the eNodeB has sufficient power and can conduct CRS boosting, thedownlink channel estimation is assumed ideal. However, the eNodeB cannotobtain perfect uplink channel estimation since the UE, as a mobiledevice, has limited power in transmitting DMRSs. To model estimationerrors, suppose that the eNodeB receives DMRSs from the UE for t2 εT2and f2 εF given by

$\begin{matrix}\begin{matrix}{{Y_{B}\left( {{t\; 2},{f\; 2}} \right)} = {{{H_{UB}\left( {{t\; 2},{f\; 2}} \right)}{\gamma \left( {{t\; 2},{f\; 2}} \right)}} + {N_{B}\left( {{t\; 2},{f\; 2}} \right)}}} \\{= {{{H_{UB}\left( {{t\; 2},{f\; 2}} \right)}\begin{bmatrix}{r_{1}\left( {{t\; 2},{f\; 2}} \right)} & \ldots & 0 \\\vdots & {r_{2}\left( {{t\; 2},{f\; 2}} \right)} & \vdots \\0 & \ldots & {r_{N}\left( {{t\; 2},{f\; 2}} \right)}\end{bmatrix}} +}} \\{{N_{B}\left( {{t\; 2},{f\; 2}} \right)}}\end{matrix} & (1)\end{matrix}$

Where

-   -   γ(t2, f2) is an diagonal matrix with entries r₁ (t2, f2) . . .        r_(N)(t2, f2) being the DMRSs of transit antenna 1 to N        respectively;    -   N_(B) is an M by N noise matrix of which entries are i.i.d.        zero-mean Gaussian random variables with variance σ_(N) ².

Let the DMRSs have equal power P, i.e., |r₁(t2, f2)|²= . . . =(r_(N)(t2,f2)|²=P. Note that we assume that γ(t2,f2) is diagonal for convenience,but an orthogonal matrix would be sufficient. Since the DMRSs are knownto the eNodeB, the estimate of the uplink channel turns out to be

Ĥ _(UB)(t2,f2)=PH _(UB)(t2,f2)+N′ _(B)(t2,f2)  (2)

Where

-   -   N′_(B)(t2,f2)=PN_(B)(t2,f2)γ⁻¹(t2,f2) still has entries as        i.i.d. zero-mean σ_(N) ²-variance Gaussian random variables.

The proposed PSU scheme is related to limited feedback precoding.Precoding operation in MIMO systems can take advantage of the diversityand multiplexing gains. In the conventional precoding operation at timeand frequency (t,f), the eNodeB multiplies source signal vectors x(t,f)εC^(n) _(s) ^((t,f)×1) by an orthogonal precoding matrix F_(C)(t,f)εC^(M×n) _(s) ^((t,f)×1) before transmission. Here, the subscript C inF_(C)(t,f) denotes the conventional precoding matrix, and n_(s)(t,f) isthe transmission rank. The UE then gets the signaly(t,f)=H(t,f)F_(C)(t,f)×(t,f)+n(t,f) where n(t,f) is a Gaussian noisevector with the covariance matrix σ_(N) ²I. The MIMO capacity turned outto be

$\begin{matrix}{{C_{MIMO}\left( {t,f} \right)} = {\log \; {\det \left( {I_{N} + {\frac{P_{x}\left( {t,f} \right)}{\sigma_{n}^{2}{n_{s}\left( {t,f} \right)}}{H_{BU}\left( {t,f} \right)}{F_{c}\left( {t,f} \right)}{R_{x}\left( {t,f} \right)}{F_{C}^{H}\left( {t,f} \right)}{H_{BU}^{H}\left( {t,f} \right)}}} \right)}}} & (3)\end{matrix}$

Where

-   -   R_(x)(t,f) is the correlation matrix of the source vectors,        i.e., E[x(t,f)x^(H)(t,f)].    -   P_(x)(t,f) is the transmission power (i.e., trace(R_(x)(t,f))).

By matching F_(C)(t,f) to the right singular matrix of H_(BU)(t,f),every orthogonal column F_(C)(t,f) spans the space of a respectivesub-channel. The transmitter thus can efficiently control itstransmitting power on each sub-channel through water filling. In orderto fully apply precoding operation, the transmitter has to know thechannel matrices to the receiver. However, directly feeding back thecomplex-valued channel matrices would result in a big feedback overheadin FDD systems where channel reciprocity is not valid.

Therefore, in limited feedback systems, the receiver sends PMIS in aprecoding codebook instead. The precoding codebook is also known to thetransmitter so that it can find the precoding matrices corresponding tothe PMIS obtained from the receiver. Those precoding matrices in thecodebook can be regarded as channel quantization. Hence, we connect theconcept of quantization in the precoding codebook with secrecy sharingin physical layer security and propose to hide the confidential messagein precoding matrices through the uplink channel. Note that in a TDDuplink downlink system where channel reciprocity is applicable, PMIfeedback would be unnecessary. However, if the precoding codebook ispreserved for FDD systems, it can still be used in the PSU scheme.

FIG. 6 illustrates one embodiment of a procedure for applying PSU in awireless system 600. Wireless system 600 comprises a UE 601, an eNodeB602, and an eavesdropper 603. Suppose that the codebook is of size n,which has 2^(n) PMIS corresponding to 2^(n) unitary precoding matriceswith dimension N. For example, the codebook can be denoted by CB={F₁ . .. F₂ ^(n)}, with unitary precoding matrices F_(i) εC^(N×N) for i=1, 2 .. . 2^(n).

The first main step is Reference Signal Rotation performed by eNodeB602. In step 611, the eNodeB sends randomly rotated CRSsG(t1,f1)Γ(t1,f1), where G(t1,f1) is a unitary matrix only known by theeNodeB and Γ(t1,f1) is the CRS matrix known to the UE. For a fixed timet1, G(t1,f1) is randomly generated among f1 εF. For a fixed frequencyf1, the eNodeB can randomly renew G(t1,f1) periodically. The rotation ofthe original CRS is to further confuse the eavesdropper. In step 621,based on the received rotated reference signal G(t1,f1)Γ(t1,f1), the UEobtains the perfect channel estimation given by

H _(BU)(t1,f1)G(t1,f1)=U _(BU)(t1,f1)Σ_(BU)(t1,f1)V _(BU)^(H)(t1,f1)G(t1,f1)  (4)

Where

-   -   U_(BU)(t1,f1)Σ_(BU)(t1,f1)V_(BU) ^(H)(t1,f1) is the Single Value        Decomposition (SVD) of H_(BU)(t1,f1).

The second main step is Secrecy Generation performed by UE 601. The UEgroups its secret information into bit sequences with equal length n andmatches each sequence to a PMI in the codebook corresponding to aprecoding matrix. The UE then maps the precoding matrices on REscorresponding to the positions of DMRSs. Denote the assigned precodingmatrices at the time and frequency (t2, f2) as F(t2, f2) ε{F₁ . . . F₂^(n)}. FIG. 7 illustrates one embodiment of encoding secrecy informationonto reference signals via precoding matrix indexes (PMIS). In theexample of FIG. 7, the secret information is represented by a bit stream0100010111101001. The secret information is then grouped into four bitsequences 0100, 0101, 1110, and 1001, each bit sequence has equal lengthof 4-bit (n=4). Each bit sequence is then matched to a PMI in thecodebook corresponding to a precoding matrix. For example, bit sequence0100 is mapped to Row 01 and column 00, which corresponds to a PMI forprecoding matrix F₁₀. As a result, the entire secret information ismapped to PMIS corresponding to precoding matrices {F₁₀, F₁₁, F₃₂, F₂₁},which is denoted as F(t2,f2).

The third main step is Secrecy Feedback performed by UE 601, as depictedby step 622. At time and frequency indices (t2,f2)=(t1+t0, f1), the UEfeeds a rotated version of DMRSs back to the eNodeB given by

{tilde over (Y)}(t2,f2)=U* _(BU)(t2−t0,f2)F ^(H)(t2,f2)Y(t2,f2)

Where

-   -   U_(BU)(t2−t0, f2)=U_(BU) (t1, f1) can be obtained by SVD.

The fourth main step is Secrecy Extraction performed by eNodeB 602, asdepicted by step 612. First, the eNodeB obtains the channel estimationgiven by

$\begin{matrix}\begin{matrix}{{{\overset{\sim}{H}}_{UB}^{\prime}\left( {{t\; 2},{f\; 2}} \right)} = {{{{PH}_{UB}\left( {{t\; 2},{f\; 2}} \right)}{U_{BU}^{*}\left( {{{t\; 2} - {t\; 0}},{f\; 2}} \right)}{F^{H}\left( {{t\; 2},{f\; 2}} \right)}} + {N_{B}^{\prime}\left( {{t\; 2},{f\; 2}} \right)}}} \\{= {{{PV}_{BU}^{*}\left( {{{t\; 2} - {t\; 0}},{f\; 2}} \right)}{\Sigma_{BU}\left( {{{t\; 2} - {t\; 0}},{f\; 2}} \right)}{U_{BU}^{T}\left( {{{t\; 2} - {t\; 0}},{f\; 2}} \right)}}} \\{{{{U_{BU}^{*}\left( {{{t\; 2} - {t\; 0}},{f\; 2}} \right)}{F^{H}\left( {{t\; 2},{f\; 2}} \right)}} + {N_{B}^{\prime}\left( {{t\; 2},{f\; 2}} \right)}}} \\{= {{{{PV}_{BU}^{*}\left( {{{t\; 2} - {t\; 0}},{f\; 2}} \right)}{\Sigma_{BU}\left( {{{t\; 2} - {t\; 0}},{f\; 2}} \right)}{F^{H}\left( {{t\; 2},{f\; 2}} \right)}} + (6)}} \\{{N_{B}^{\prime}\left( {{t\; 2},{f\; 2}} \right)}} \\{= {P{{\overset{\sim}{V}}_{UB}\left( {{t\; 2},{f\; 2}} \right)}{{\overset{\sim}{\Sigma}}_{UB}\left( {{t\; 2},{f\; 2}} \right)}{{\overset{\sim}{F}}^{H}\left( {{t\; 2},{f\; 2}} \right)}}}\end{matrix} & (5)\end{matrix}$

Where

-   -   Equation (5) results from the channel reciprocity (i.e.,        H_(UB)(t2,f2)=H^(T) _(BU)(t2−t0,f2).

In equation (6), the SVD of {tilde over (H)}′_(UB)(t2,f2) is {tilde over(V)}(t2,f2){tilde over (Σ)}_(UB)(t2, f2){tilde over (F)}^(H)(t2,f2).

The eNodeB then extracts {tilde over (F)}^(H)(t2,f2) and matches themback to the PMI î(t2,f2) corresponding to the precoding matrix {tildeover (F)}(t2, f2)=F_(î(t2,f2)) εCB in the codebook. Those PMIS togetherform the estimate bit sequences representing the secret information fromthe UE.

From the above procedure, it can be seen that channel reciprocityprovides a secure link between the UE and the eNodeB. Furthermore, botheNodeB and UE rotate reference signals to confuse eavesdropper 603. Fromthe eNodeB side, instead of transmitting the regular CRSs, Γ(t1,f1), theeNodeB adds rotation on them, G(t1,f1)Γ(t1,f1) (see step 631). Throughthis step, the eNodeB confuses the eavesdropper and keeps her fromobtaining the true channel between the eNodeB and the UE.

On the other hand, from the UE side, the UE replaces the right singularmatrix of the uplink channel matrix with the precoding matrix (see step633). Such a replacement can also bewilder the eavesdropper. Bymultiplexing the original singular matrix U*_(BU)(t2−t0,f2) withprecoding matrix F^(H)(t2,f2), the spatial channel randomness propertyobscures the precoding matrix. Hence, by adding uncertainty in theuplink and downlink channel estimation, eavesdropper 603 cannotreconstruct the physical environments to predict the eNodeB-to-UEchannel anymore. In the meanwhile, the secret information such as IMSIor symmetric keys can be hidden in the precoding matrix securely. Theprecoding codebooks quantize the wireless channel into unitary spacesand reduce the influence of the channel estimation error.

It can been seen that the PSU scheme only uses channel estimation, PMImapping, and reference signal rotation. The computational complexity islow comparing to the asymmetric cryptography especially because channelestimation and PMI mapping have already been done in LTE physical layer.In addition, since the eNodeB and the UE can use the symmetriccryptography after applying the PSU scheme, the complexity of dataencryption and decryption afterwards would be very low. Therefore, thePSU scheme has low complexity, low power consumption, small changes tothe LTE standards, and flexibility in choosing the subsequent symmetriccryptosystems. The PSU scheme also provides backward compatibility.

FIG. 8A illustrates backward compatibility of a PSU scheme in a FDDwireless system. Suppose that a legacy UE 801 joins the network and isserved by eNodeB 802. In step 811, eNodeB 802 transmits rotatedreference signals G(t1,f1)Γ(t1,f1). UE 801 has no knowledge of the PSUscheme and therefore, does not know that the downlink reference signalsare rotated. In step 812, UE 801 performs channel estimation and obtainsthe channel as H_(BL)(t1,f1)G(t1,f1), where the subscript L stands forlegacy UE. In the case of FDD systems, in step 813, the legacy UE 801finds the best precoding matrix F_(L)(t1,f1) in the codebook thatapproaches the capacity by substituting H_(BU)(t1,f1)G(t1,f1) forH_(BL)(t,f) and F_(L)(t1,f1) for F_(C)(t,f) in equation (3). UE 801 thenfeeds back the PMI to eNodeB 802 in step 814. In step 815, eNodeB 802transmits the source vector x by applying beamforming or multiplexing asG(t1,f1)F_(L)(t1,f1)x, which ought to give the same system throughputdue to the random choice of the unitary matrix G(t,f).

FIG. 8B illustrates backward compatibility of a PSU scheme in a TDDwireless system. In TDD systems, since it is the responsibility of thelegacy UE to send reference signals, the eNodeB can directly apply thereciprocity property to obtain downlink channel estimation. In step 861,legacy UE 851 sends reference signal Γ(t2,f2). In step 862, eNodeB 852receives the reference signal and obtains channel estimationH_(UB)(t1,f1). In step 863, eNodeB 852 find the optimal precoding matrixF_(op)(t1,f1). In step 864, eNodeB 852 sends data as F_(op)(t1,f1)x.Therefore, the proposed PSU scheme is also backward compatible in TDDsystems.

For better performance of secrecy extraction, we need to determine thenearest precoding matrix {circumflex over (F)}(t2,f2) in the codebook tothe noisy observation {tilde over (F)}(t2,f2). For quantifying distancebetween precoding matrices, Chordal distance is widely adopted in theprecoding operations. It is one of the distance measures in Grassmannmanifolds. A Grassmann manifold of dimension m×n, denoted by G(m,n) is aset of n-dimensional subspaces in an m-dimensional space. In otherwords, G(m,n) is the set of m×n orthogonal matrices P where the quotientholds by right multiplying a unitary matrix on P (i.e., P=PG and G is anarbitrary n×n unitary matrix). For example, a point in G(m,1) is aunit-norm vector p εC^(m×1) which is equal to another unit-norm vector qεC^(m×1) if an only if p=qe^(jθ) for some θε[0,2π). In this case, p andq are the same point. Otherwise, they are different points in the G(m,1)Grassmann manifold. In G(m,n), for P, Q εG (m,n), the chordal distancebetween P and Q is defined as

d _(c)(P,Q)=√{square root over (n−∥Q ^(H) P∥ _(F) ²)}=√{square root over(n−trace(P ^(H) QQ ^(H) P))}=√{square root over (Σ_(k=1) ^(n)sin²(θ_(k)))}  (7)

Where

θ_(k) for k=1 . . . n are the principle angles between the two subspacesspanned by the columns of P and Q.

The Grassmann manifold is closely related to the space of the precodingmatrices. Consider the downlink MIMO capacity formula (3), assume thatthe channel matrix H_(BU)(t,f) εC^(N×M) has SVD U_(BU)(t,f) Σ_(BU)(t,f)V_(BU) ^(H) (t,f) where U_(BU)(t,f)εC^(N×N) and V_(BU)(t,f)εC^(M×M) areunitary matrices, and Σ_(BU)(t,f) εC^(N×M) is a diagonal matrix withreal diagonal entries aligned in a descending order. The capacity can berewritten as

$\begin{matrix}{{C_{MIMO}\left( {t,f} \right)} = {\log \; {\det \left( {I + {\frac{P_{x}\left( {t,f} \right)}{\sigma_{n}^{2}{n_{s}\left( {t,f} \right)}}{F_{C}^{H}\left( {t,f} \right)}{V_{BU}\left( {t,f} \right)}{\Sigma_{BU}^{2}\left( {t,f} \right)}{V_{BU}^{H}\left( {t,f} \right)}{F_{C}\left( {t,f} \right)}{R_{x}\left( {t,f} \right)}}} \right)}}} & (8)\end{matrix}$

In order to, for example, transmit on the L best sub-channels (i.e.,select the L largest singular values in Σ(t,f)), the precoding matrixF_(C)(t,f) has to match the subspace spanned by the correspondingcolumns of V_(BU)(t,f). Since F_(C)(t,f) only needs to be an orthonormalspanning matrix of the subspace, it is clear that choosing the precodingmatrix F_(C)(t,f)G for an arbitrary unitary matrix G is equivalent tochoosing F_(C)(t,f). Therefore, finding precoding matrices is equivalentto finding points in the Grassmann manifold.

Chordal distance does meet the needs of measuring how long two precodingmatrices separate from each other in the conventional precodingoperation. The nearest precoding matrix is found by taking the PMI withthe corresponding precoding matrix satisfying

î(t2,f2)=arg min_(i ε[1, . . . 2) _(n) _(]) d _(c)({tilde over(F)}(t2,f2),F _(i))  (9)

However, chordal distance fails to be a good distance measure in the PSUscheme. For example, since the precoding matrices in the PSU scheme aresquare, those full-rank precoding matrices are counted as one point inthe Grassmann manifold by applying chordal distance on them. Such aconcept works for the conventional precoding operation since full-ranktransmission chooses all the singular value of the channel matrices andevery unitary matrix can do it. However, the PSU scheme needs a distancemeasure to distinguish different precoding matrices even in thefull-rank case.

To solve the problem, observe that although the PSU scheme seems to beclosely connected to the precoding operation, it is more related to theSVD operation. Specifically, the SVD operation is unique as long asthere are no zero singular values, which is true with probability onefor random generated channel matrices. However, the uniqueness is in thesense that every corresponding right and left singular vector pairs canhave an equal but arbitrary phase shift or that their respective spannedone-dimensional subspaces are invariant. In other words, the SVD of thedownlink channel matrix with M>=N can be written as

$\begin{matrix}\begin{matrix}{{H_{BU}\left( {t,f} \right)} = {{U_{BU}\left( {t,f} \right)}{\Sigma_{BU}\left( {t,f} \right)}{V_{BU}^{H}\left( {t,f} \right)}}} \\{= {{\begin{bmatrix}{^{j\theta 1}u_{1}} & {^{j\theta 2}u_{2}} & \ldots & {^{{j\theta}\; N}u_{N}}\end{bmatrix}\begin{bmatrix}s_{1} & \ldots & 0 & 0 & \ldots & 0 \\\vdots & s_{2} & \; & \vdots & \; & \; \\0 & \ldots & s_{N} & 0 & \ldots & 0\end{bmatrix}} \cdot}} \\{\left\lbrack {\begin{matrix}{^{j\theta 1}v_{1}} & {^{j\theta 2}v_{2}} & \ldots & {^{{j\theta}\; N}v_{N}} & v_{N + 1} & \ldots\end{matrix}\mspace{14mu} v_{M}} \right\rbrack^{H}}\end{matrix} & (10)\end{matrix}$

Where

θ₁, . . . θ_(N) ε[0,2π).

As a result, even if there is no noise involved, the resulting {tildeover (F)}(t2,f2) will not be equal to F(t2,f2) but with phasedifferences along each columns. In view of the fact that every left orright singular vector should span the same one-dimensional subspace asthe original after SVD, it is proposed that the nearest PMI can be foundby

î(t2,f=arg min_(i ε[1, . . . 2) _(n) _(]) d _(v)({tilde over(F)}(t2,f2),F _(i))  (11)

With a vector-wise chordal distance measure defined as

d _(v)({tilde over (F)}(t2,f2),F _(i))=√{square root over(Σ_(k=)1^(N)(1−|[{tilde over (F)}(t2,f2,]_(k) ^(H) [F_(i)]_(k)|²))}  (12)

Where

[{tilde over (F)}(t2,f2)]_(k) and [F_(i)]_(k) are the respective kthcolumn vector of {tilde over (F)}(t2,f2) and F_(i).

The vector-wise chordal distance measure is introduced to lower theinfluence of the noise in channel estimation stage. Simulation resultsshow performance gain brought by this vector-wise distance measure.

Simulation Results

Simulation settings are provided in Table 1. Most of the settings arebased on LTE TS36.211 and TR25.996. We use the simulator, MATLABimplementation of the 3GPP Spatial Channel Model Extended (SCME). Weassume that a minimum of 72 subcarriers is allocated to the UE with eachsubcarrier occupying 15 kHz, with a total bandwidth of 1.08 MHz. The UEspeed is set to 8.3 m per second in 2×2 and 4×4 MIMO systems. The 2×2MIMO system uses 2-bit (4 indices) and 4-bit (16 indices) DFT codebooks,while the 4×4 MIMO system uses 4-bit Householder codebook. We alsoassume that the eavesdropper has the same antenna settings as the eNodeBin order to take advantage of the channel correlation to break thesystem security.

FIGS. 9A-9C illustrate the eavesdropper's capability of breaking the PSUscheme with respect to the distance in wavelengths between theeavesdropper and the eNodeB. Note that for a 2 GHz center frequency, thewavelength is about 15 cm. FIGS. 10A-10B illustrate the definition ofdistance used in the simulation results of FIGS. 9A-9C. Suppose that theUE wants to send an 80-bit symmetric key to the eNodeB and that there isno channel estimation error for the eavesdropper.

TABLE I SIMULATION SETTINGS Parameter Value Channel model SCME Channelscenario urban macro MIMO 2 × 2 and 4 × 4 Center frequency 2 GHz Totalbandwidth 1.08 MHz Subcarrier bandwidth 15 kHz Precoding Codebook DFTfor 2 × 2 MIMO Householder for 4 × 4 MIMO Channel coding [5, 7]convolutional codes UE speed 8.3 m/s Antenna pattern two dual-polarizedelements for 4 antennas one dual-polarized element for 2 antennasAntenna spacing 4 wavelengths spacing for eNodeB 2 wavelengths spacingfor UE Antenna slanted dipole 45 and −45 degree for eNodeB 0 and 90degree for UE

FIG. 9A shows that information-theoretically how much secret informationthe eavesdropper can obtain at different distance to the eNodeB. FIG. 9Bshows how may bits in the key the eavesdropper can have a right guess.It shows the number of correct bits that the eavesdropper can obtain vs.eavesdropper-to-eNodeB distance. FIG. 9C shows the empirical probabilityof successful decryption or obtaining entirely correct secretinformation by the eavesdropper.

It can be observed that the 2×2 MIMO system outperforms the 4×4 MIMOsystem. The reason is that in our settings the eNodeB and theeavesdropper in the 4×4 MIMO system have tow dual-polarized elementsseparated by 4 wavelengths. The separation results in higher correlationbetween the UE-to-eNodeB channel and the eavesdropper-to-eNodeB channelwhen the eavesdropper-to-eNodeB distance is small. Specifically, at thedistance of 4 wavelengths, the eavesdropper's extractable informationhas a local peach since a dual-polarized element from the eNodeB andanother form the eavesdropper happen to overlap and, accordingly, raisethe channel correlation.

Despite the high correlation when the eavesdropper is close to theeNodeB (with a distance less than 6 wavelengths or 90 cm), the overallsecret information the eavesdropper can get with a distance over 10wavelengths or 150 cm is very small. Such small amount of extractableinformation makes the probability of successful decryption by theeavesdropper approach zero and the portion of correct bits approximatelyhalf of the total key length. Notice that 150 cm is a short distance sothat it might be possible for the eNodeB to sense the near eavesdropper.The eNodeB can either tell the UE to abandon the key or emit artificialnoises to interfere the reception of the eavesdropper.

FIG. 11 shows the total bits of a secret key to be transmitted from theUE to the eNodeB in order to attain a certain secret level. Theeavesdropper-to-eNodeB distance is set to 10 wavelengths. We assume thatthere is no channel estimation error in the network. Such a conditioncan occur when the UE has sufficient power to transmit reference signalsor uses some channel coding schemes to protect the secret information.In can be seen that the number of information-theoretical bits the PSUscheme needs to spend is only one tenth of that of the RSA. Therefore,the PSU scheme provides a more efficient and low complexity solution tothe secure initiation problem than the asymmetric cryptography.

FIG. 12 shows the influence of the channel estimation error to the PSUscheme with different MIMO schemes and distance measures. Here, both thecodebooks of the 2×2 and 4×4 MIMO systems have 4 bits in size or 16precoding matrices. It can be observed that the KER is significantlylower by using the proposed vector-wise chordal distance measure (d_(v))than the original chordal distance measure (d_(c)) in the MOPRO scheme.A KER as low as 10⁻² can be achieved with SNR 18 dB. Note that there areno error correcting codes protecting the key bits from noises. Thelowest curve in the figure shoes the use of convolutional codes by which(d_(v)) has 2 dB gain in SNR at the 10⁻² KER. It can be expected that astronger error correcting codes such as turbo codes or LDPC codes shouldachieve even lower KER. Note that the 2×2 MIMO system has a very highKER in comparison with the 4×4 MIMO system. The reason is that with thesame codebook size but lower matrix dimension, the distance amongprecoding matrices in the codebook of 2×2 MIMO system are smaller thanthe 4×4 MIMO system. In consequence, small noise are enough to make theestimate of the precoding matrix diverge to other quantizations.

FIG. 13 is a flow chart of a method of applying PSU from UE perspectivein accordance with one novel aspect. In step 1301, a UE receives a firstreference signal via first downlink channel in a mobile communicationnetwork. In step 1302, the UE performs channel estimation based on thefirst reference signal and thereby obtaining a first channel responsematrix of the first downlink channel. In step 1303, the UE encodessecrecy information onto a second reference signal. In step 1304, the UEtransmits the second reference signal via a second uplink channel. Thesecrecy information is hidden in the second uplink channel through aprecoding operation such that the secrecy information can be extractedby the eNodeB when the second uplink channel is reciprocal to the firstdownlink channel. In one embodiment, the secrecy information contains aplurality of bits grouped into a number of bit sequences with equallength, and wherein each bit sequence is mapped to a Precoding MatrixIndex (PMI) according to a predefined codebook.

FIG. 14 is a flow chart of a method of applying PSU from eNodeBperspective in accordance with one novel aspect. In step 1401, an eNodeBtransmits a first reference signal via a first downlink channel in amobile communication network. In step 1402, the eNodeB receives a secondreference signal via second uplink channel, and the second referencesignal contains encoded secrecy information hidden in the second uplinkchannel through a precoding operation. In step 1403, the eNodeB performschannel estimation based on the second reference signal, and the seconduplink channel is reciprocal to the first downlink channel. In step1404, the eNodeB extracts the secrecy information from the secondreference signal based on a vector-wise chordal distance measure.

Although the present invention has been described in connection withcertain specific embodiments for instructional purposes, the presentinvention is not limited thereto. Accordingly, various modifications,adaptations, and combinations of various features of the describedembodiments can be practiced without departing from the scope of theinvention as set forth in the claims.

What is claimed is:
 1. A method of Precoding-codebook-based SecureUplink (PSU), the method comprising: (a) receiving a first referencesignal via a first downlink channel by a user equipment (UE) in a mobilecommunication network; (b) performing channel estimation based on thefirst reference signal and thereby obtaining a first channel responsematrix H_(BU) of the first downlink channel; (c) encoding secrecyinformation onto a second reference signal; and (d) transmitting thesecond reference signal via a second uplink channel, wherein the secrecyinformation is hidden in the uplink channel through a precodingoperation such that the secrecy information can be extracted when thesecond uplink channel is reciprocal to the first downlink channel. 2.The method of claim 1, wherein the secrecy information contains aplurality of bits grouped into a number of bit sequences with equallength, and wherein each bit sequence is mapped to a Precoding MatrixIndex (PMI) according to a predefined codebook.
 3. The method of claim2, wherein the second reference signal is a rotated version ofDemodulation Reference Signals (DMRSs), and wherein the rotation isbased at least in part on precoding matrixes having corresponding PMIS.4. The method of claim 3, wherein a Singular Value Decomposition (SVD)of the H_(BU) comprises a right singular matrix U_(BU) and wherein therotation is based at least in part on the U_(BU).
 5. The method of claim3, wherein the secrecy information is extracted by finding the nearestprecoding matrixes in the predefined codebook based on a vector-wiseChordal distance measure.
 6. The method of claim 1, wherein the firstreference signal is rotated with a random unitary matrix.
 7. The methodof claim 1, wherein the UE enables PSU for secure data transmission, andwherein the UE disables PSU for normal data transmission.
 8. A userequipment (UE), comprising: a receiver that receives a first referencesignal via a first downlink channel in a mobile communication network; achannel estimation module that performs channel estimation based on thefirst reference signal and thereby obtaining a first channel responsematrix H_(BU) of the first downlink channel; an encoder that encodessecrecy information onto a second reference signal; and a transmitterthat transmits the second reference signal via a second uplink channel,wherein the secrecy information is hidden in the uplink channel througha precoding operation such that the secrecy information can be extractedwhen the second uplink channel is reciprocal to the first downlinkchannel.
 9. The UE of claim 8, wherein the secrecy information containsa plurality of bits grouped into a number of bit sequences with equallength, and wherein each bit sequence is mapped to a Precoding MatrixIndex (PMI) according to a predefined codebook.
 10. The UE of claim 9,wherein the second reference signal is a rotated version of DemodulationReference Signals (DMRSs), and wherein the rotation is based at least inpart on precoding matrixes having corresponding PMIS.
 11. The UE ofclaim 10, wherein a Singular Value Decomposition (SVD) of the H_(BU)comprises a right singular matrix U_(BU) and wherein the rotation isbased at least in part on the U_(BU).
 12. The UE of claim 10, whereinthe secrecy information is extracted by finding the nearest precodingmatrixes in the predefined codebook based on a vector-wise Chordaldistance measure.
 13. The UE of claim 8, wherein the first referencesignal is rotated with a random unitary matrix.
 14. The UE of claim 8,wherein the UE enables PSU for secure data transmission, and wherein theUE disables PSU for normal data transmission.
 15. A method of performingsecret communication, the method comprising: (a) transmitting a firstreference signal via a first downlink channel by a base station in amobile communication network; (b) receiving a second reference signalvia a second uplink channel, wherein the second reference signalcontains encoded secrecy information hidden in the uplink channelthrough a precoding operation; (c) performing channel estimation basedon the second reference signal, wherein the second uplink channel isreciprocal to the first downlink channel; and (d) extracting the secrecyinformation from the second reference signal.
 16. The method of claim15, wherein the first reference signal is rotated with a random unitarymatrix.
 17. The method of claim 16, wherein the base station eithergenerates the random unitary matrix among a frequency band for a fixedtime, or generates the random unitary matrix periodically for a fixedfrequency.
 18. The method of claim 15, wherein the secrecy informationcontains a plurality of bits grouped into a number of bit sequences withequal length, and wherein each bit sequence is mapped to a PrecodingMatrix Index (PMI) according to a predefined codebook.
 19. The method ofclaim 18, wherein the second reference signal is a rotated version ofDemodulation Reference Signals (DMRSs), and wherein the rotation isbased at least in part on precoding matrixes having corresponding PMIS.20. The method of claim 18, wherein the extracting in (d) involvesfinding the nearest precoding matrixes in the predefined codebook basedon a vector-wise Chordal distance measure.